Technologies related to mitigation of volumetric distributed denial of service attacks are disclosed. Malicious network connection request detection can be performed using a first network traffic management module (NTMM) that executes before network connection resources are allocated and a second NTMM that executes after connection resource allocation. The second NTMM can be used to determine whether a connection request is from a potential bad actor. If the request is from a potential bad actor, the second NTMM can add an identifier for the potential bad actor to a list of potential bad actors. When a subsequent connection request is received, the first NTMM can generate the identifier based on the subsequent request and determine whether it is stored in the list of potential bad actors. If it is, the first NTMM can drop the subsequent request before connection resources for establishing the second request are allocated.
Legal claims defining the scope of protection, as filed with the USPTO.
. A method implemented by a network traffic management system, the method comprising:
. The method of, further comprising:
. The method of, further comprising:
. The method of, wherein:
. The method of, wherein:
. A system comprising one or more network traffic management modules, a memory comprising programmed instructions stored thereon, and one or more processors configured to be capable of executing the stored programmed instructions to:
. The system of, wherein the one or more processors are further configured to be capable of executing the stored programmed instructions to:
. The system of, wherein the one or more processors are further configured to be capable of executing the stored programmed instructions to:
. The system of, wherein:
. The system of, wherein:
. A non-transitory computer readable medium having stored thereon instructions comprising executable code that, when executed by one or more processors, causes the processors to:
. The non-transitory computer readable medium of, wherein the instructions further comprise executable code that, when executed by one or more processors, causes the processors to:
. The non-transitory computer readable medium of, wherein the instructions further comprise executable code that, when executed by one or more processors, causes the processors to:
. The non-transitory computer readable medium of, wherein:
. The non-transitory computer readable medium of, wherein:
. A network traffic management apparatus, comprising memory comprising programmed instructions stored thereon and one or more processors configured to be capable of executing the stored programmed instructions to:
. The network traffic management apparatus of, wherein:
Complete technical specification and implementation details from the patent document.
This technology generally relates to detection and mitigation of denial of service attacks.
A Denial of Service (DoS) attack is a type of cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users. This may be accomplished by temporarily or indefinitely disrupting the services of a host connected to the Internet. One method for performing a DoS attack is flooding the targeted machine with superfluous requests in an attempt to overload its system. When this happens, the machine can no longer process legitimate requests, effectively blocking users from accessing the service or resource. One type of DoS attack is a Distributed Denial of Service (DDoS) attack. In a DDoS attack, the attacker uses multiple compromised computers to launch a coordinated attack against one target. This can make it more difficult to stop since the attack comes from many different IP addresses, making it challenging to distinguish legitimate user traffic from attack traffic. In a volumetric DDoS attack, multiple compromised computers are used to flood a targeted network or site with an immense volume of network traffic.
In an example embodiment, a method is implemented by a network traffic management system, wherein the method comprises: receiving a request to establish a network connection using a network traffic management module, wherein the network traffic management module executes before an allocation of resources for establishing the network connection; generating, using the network traffic management module, an identifier using the request, wherein the identifier comprises a source network address of the request and an additional identifier based on contents of the request; determining, using the network traffic management module, that the identifier is in a list of potential bad actor identifiers; and based on the determining: dropping the request, and preventing the resources for establishing the network connection from being allocated.
In another example embodiment, a system comprises one or more network traffic management modules, a memory comprising programmed instructions stored thereon, and one or more processors configured to be capable of executing the stored programmed instructions to: receive a request to establish a network connection using a network traffic management module, wherein the network traffic management module executes before an allocation of resources for establishing the network connection; generate, using the network traffic management module, an identifier using the request, wherein the identifier comprises a source network address of the request and an additional identifier based on contents of the request; determine, using the network traffic management module, that the identifier is in a list of potential bad actor identifiers; and drop the request, and prevent the resources for establishing the network connection from being allocated.
Another example embodiment comprises a non-transitory computer readable medium having stored thereon instructions comprising executable code that, when executed by one or more processors, causes the processors to: receive a request to establish a network connection using a network traffic management module, wherein the network traffic management module executes before an allocation of resources for establishing the network connection; generate, using the network traffic management module, an identifier using the request, wherein the identifier comprises a source network address of the request and an additional identifier based on contents of the request; determine, using the network traffic management module, that the identifier is in a list of potential bad actor identifiers; and based on the determining: drop the request, and prevent the resources for establishing the network connection from being allocated.
Another example embodiment comprises a network traffic management apparatus, comprising memory comprising programmed instructions stored thereon and one or more processors configured to be capable of executing the stored programmed instructions to: receive a first request to establish a first network connection using a first network traffic management module, wherein the first network traffic management module executes after an allocation of resources for establishing the first network connection; determine, using the first network traffic management module, that the first request is from a potential bad actor; generate, using the first network traffic management module, an identifier using the first request, wherein the identifier comprises a source network address of the first request and an additional identifier based on contents of the first request; store, using the first network traffic management module, the identifier generated using the first request in a list of potential bad actor identifiers; receive a second request to establish a second network connection using a second network traffic management module, wherein the second network traffic management module executes before an allocation of resources for establishing the second network connection; generate the identifier, using the second network traffic management module, using the second request; determine, using the second network traffic management module, that the identifier is in the list of potential bad actor identifiers; and based on the determining: drop the second request, and prevent the resources for establishing the second network connection from being allocated.
Volumetric distributed denial of service (DDoS) attacks can be challenging to mitigate due to the significant volumes of network traffic that they generate. Even in scenarios where mechanisms are employed to detect and block bad actors, the volume of resources that are consumed by processing the large number of connection requests can be enough to exhaust available server resources. For example, when a connection request is received by a server, the server may allocate resources (such as memory) for establishing the requested connection before any logic is executed to determine whether the request is from a potential bad actor. In such a scenario, if the server receives a large volume of connection requests, the resources allocated for establishing the requested connections can exhaust available server memory even when logic to detect and block bad actors is employed.
At least some of the technologies described herein can be used to address this problem by dropping connection requests from potential bad actors before resources for establishing the requested connections are allocated. A first network traffic management module (NTMM) and a second NTMM can be used to detect and mitigate DDoS attacks, wherein the first NTMM executes before connection resources are allocated and the second NTMM executes after connection resources are allocated. The first and second NTMMs can be configured to execute as parts of a connection request processing pipeline, wherein the first NTMM receives inbound connection requests first, and before connection resources are allocated; and the second NTMM receives the inbound connection requests subsequently, and after connection resources have been allocated. For example, the first NTMM can comprise an extended Berkeley Packet Filter (eBPF) express data path (XDP) program and the second NTMM can comprise a server application module (such as an NGINX module).
The first and second NTMMs can share access to a list of potential bad actor identifiers. The second NTMM can be configured to detect potential bad actors based on contents of received connection requests. If the second NTMM determines that a connection request is from a potential bad actor, the second NTMM can generate an identifier based on contents of the connection request and can add the identifier to the list of potential bad actor identifiers. In some embodiments, the identifier can comprise a source network address of the request and an additional identifier based on contents of the request. For example, the additional identifier can comprise a hash based on transport layer security (TLS) handshake information.
When a subsequent connection request from the same source is received, the first NTMM can generate the identifier based on contents of the subsequent request and can search the list of potential bad actor identifiers for the generated identifier. If the identifier is found in the list, then the first NTMM can drop the request. Since the first NTMM executes before connection resources are allocated, the request can be dropped before any connection resource allocation occurs. Thus, in at least some scenarios, exhaustion of server resources by volumetric DDoS attacks can be prevented.
In a particular embodiment, the second NTMM can store a timestamp in the list of potential bad actor identifiers in association with the generated identifier. When a subsequent request is received from the same source, the first NTMM will not drop the request if a specified amount of time has not elapsed since the time represented by the timestamp. Once the specified amount of time has elapsed, the first NTMM will begin to drop requests from the identified source. In such an embodiment, the second NTMM can transmit a challenge to the sender identified as a potential bad actor. By correctly answering the challenge, the sender can establish that they are not a bad actor. If a response to the challenge is received before the specified time period has elapsed, the first NTMM will not drop the request and the request will be processed by the second NTMM. If the second NTMM receives the correct answer to the challenge, the second NTMM can remove the generated identifier, and the associated timestamp, from the list of potential bad actors. Thus, in at least some scenarios, misidentification of legitimate users as potential bad actors can be prevented by allowing users to prove they are legitimate within a specified window of time.
is a flowchart of an example method for detecting network connection requests from potential bad actors. Any of the example systems and apparatuses described herein can be used to perform all or part of the example method. For example, the network traffic management apparatus, depicted in, can be used to perform all or part of the example method.
is a block diagram of an example network traffic management apparatus for mitigating distributed denial of service (DDoS) attacks. The network traffic management apparatus can be implemented using a computing environment as described in more detail with reference to.
The network traffic management apparatus comprises one or more processors, one or more communication interfaces, and a memory. The memory can comprise programmed instructions stored thereon that can be executed by the one or more processors. The memory comprises one or more connection resources that can be allocated and used to manage network connections. The memory further comprises a list of potential bad actor identifiers. Optionally, the memory can comprise instructions for an operating system kernel. The network traffic management apparatus further comprises a first network traffic management module that executes before an allocation of resources for establishing a network connection and a second network traffic management module that executes after an allocation of resources for establishing a network connection. The network traffic management modules can comprise hardware and/or software components. For example, one or both of the network traffic management modules can comprise programmed instructions that are stored in the memory and that can be executed by the one or more processors.
Referring to, at, a request to establish a network connection is received at a network traffic management module that executes after an allocation of resources for establishing the network connection. For example, the network traffic management apparatus can receive a request to establish a network connection using one or more of the communication interfaces. The request can be processed using the network traffic management module, which executes after an allocation of resources for establishing a network connection.
At, it is determined that the request is from a potential bad actor. For example, the network traffic management module can determine if the request is from a potential bad actor. This can be done using an algorithm or rule set stored in the memory. In some embodiments, a machine learning model (not shown), such as a neural network, can be used to determine that the request is from a potential bad actor. The model can be trained using examples of network traffic, both from legitimate users and from known bad actors. Once the model has been trained, it can be used by the network traffic management module to analyze new connection requests in real-time. For each new request to establish a network connection, the network traffic management module can extract the relevant features and analyze them using the model to predict whether the connection request is from a legitimate user or a bad actor.
At, an identifier is generated that comprises a source network address of the request and an additional identifier based on contents of the request. For example, the network traffic management module can generate an identifier for the request that comprises a source network address of the request and an additional identifier based on contents of the request. The additional identifier can comprise a hash of the request contents or some other unique identifier derived from the request data.
In a particular example, the additional identifier comprises a hash based on transport layer security (TLS) handshake information. A TLS handshake can begin when a client connects to a server over a network using a TLS protocol. This handshake can allow the server and client to authenticate one another and negotiate encryption algorithms and cryptographic keys before the application protocol (such as HTTP) transmits or receives its first byte of data. The additional identifier can be generated based on various pieces of information that are exchanged during the TLS handshake process. For instance, the identifier could be generated based on one or more of a cipher suite, session identifier, random byte strings exchanged by the client and server, certificate data, or the like. The additional identifier can be generated using a hash function (such as SHA-256).
At, the identifier is stored in a list of potential bad actor identifiers. For example, the identifier can be stored in the list of potential bad actor identifiers in the memory by the network traffic management module.
is a flowchart of an example method for dropping network connection requests from potential bad actors without allocating connection resources. Any of the example systems and apparatuses described herein can be used to perform all or part of the example method. For example, the network traffic management apparatus depicted in, can be used to perform all or part of the example method.
At, a request to establish a network connection is received using a network traffic management module that executes before an allocation of resources for establishing the connection. For example, the network traffic management module, which executes before allocation of connection resources, can receive the request to establish the network connection via one or more of the communication interfaces.
At, an identifier is generated that comprises a source network address of the request and an additional identifier based on contents of the request. For example, the network traffic management module can generate the identifier based on the contents of the request. The network traffic management module that executes before allocation of connection resources can be configured to generate identifiers in a same way as the network traffic management module that executes after allocation of connection resources. Thus, the two network traffic management modules can generate a same identifier for requests from a same sender.
At, it is determined that the identifier is in a list of potential bad actors. For example, the network traffic management module can determine if the generated identifier is in the list of potential bad actor identifiers stored in the memory.
At, the request is dropped. For example, the network traffic management module can terminate processing of the request when the generated identifier is found in the list of potential bad actor identifiers. In such a scenario, the request may not be passed on to any other components or systems for further processing.
At, an allocation of resources for establishing the network connection is prevented. For example, by using the network traffic management module to drop the connection before an allocation of connection resources, the network traffic management apparatus can prevent connection resources from being allocated.
is a system diagram of an example system for generating identifiers for multiple client computing devices located behind a network address translation (NAT) gateway. The example system can be used to perform all or part of any of the example methods described herein.
A server computer can be configured to receive network connection requests from the client computing devices via the NAT gateway. These requests can be processed by a network traffic management module. The network traffic management module can generate identifiers based on the received requests and can check to see if any of the generated identifiers are included in a list of potential bad actor identifiers.
Since the requests from the client computers travel through the NAT gateway, they may appear to have a same source network address from the perspective of the server computer. For example, the NAT gateway can replace the source network addresses of the client computers in the request headers with its own source network address. Thus, from the perspective of the server computer, it can appear as if all the connection requests from the client computers originate from the NAT gateway. This can make it challenging to identify and block requests from a specific bad actor located behind the NAT gateway, since blocking connection requests using only the source network address can result in blocking requests from all the client computers located behind the NAT gateway.
In at least some scenarios, this can be addressed by generating an additional identifier that, in combination with a source network address, can be used to uniquely identify the client computers located behind the NAT gateway. For example, the network traffic management module can generate an additional identifier that comprises a hash based on TLS handshake information. In the example depicted in, the requests from the client computers all arrive at the server computer with headers that contain the source network address. However, the network traffic management module can generate additional identifiers based on the contents of the connection requests. Using these additional identifiers, the server computer can determine which of the client computing devices sent the various connection requests.
When a potential bad actor is identified, the additional identifier can be stored in the list of potential bad actors in combination with a source network address. When a subsequent connection request is received, the network traffic management module can compare the source network address and generated additional identifier for the subsequent request to the source network addresses and additional identifiers stored in the list of potential bad actor identifiers. In the example depicted in, the network traffic management module can determine that a connection request from the client computer is from a potential bad actor since the combination of the source network address and the additional identifier is stored in the list of potential bad actors.
are system diagrams of an example system for mitigating volumetric distributed denial of service (DDoS) attacks. The example system comprises a client computing device configured to communicate with a first network traffic management module via a network. The first network traffic management module is configured to execute before connection resources for network connections are allocated. The example system further comprises a second network traffic management module and a list of potential bad actor identifiers. The second network traffic management module is configured to execute after connection resources for network connections are allocated. In at least some embodiments, the first network traffic management module and the second network traffic management module can execute on a same computing device. However, configurations where the first network traffic management module and the second network traffic management module are located on separate computing devices are also possible. The example system can be used to perform all or part of any of the example methods described herein.
In, the client computing device transmits a connection request via the network. The network traffic management module receives and processes the connection request before connection resources are allocated. The network traffic management module generates an identifier that comprises a source network address (such as an IP address) and an additional identifier (such as a fingerprint value based on TLS handshake information) based on the connection request. The network traffic management module checks the list of potential bad actors and determines that it does not contain the identifier.
In, connection resources are allocated and the connection request is received by the network traffic management module. The network traffic management module can determine that the connection request is from a potential bad actor. For example, the network traffic management module can use a machine learning model (not shown), such as a neural network, to determine there is a high likelihood that the request was sent as part of a distributed denial of service attack. The network traffic management module can generate the identifier based on the contents of the connection request and can add the identifier to the list of potential bad actors.
In, a second connection request is received by the network traffic management module from the client computing device. The network traffic management module generates the identifier based on the contents of the connection request and determines that the list of potential bad actors now contains the identifier. Based on the determination, the network traffic management module can drop the connection request before the connection resources are allocated. Thus, in at least some scenarios, connection requests from bad actors can be identified and dropped before connection resources are allocated.
In some embodiments, it is possible that legitimate network connection requests may be misidentified as requests from bad actors. For example, when a machine learning model is used to identify potential bad actors, the model may mislabel a legitimate connection request as malicious. Such false positive scenarios can be addressed by using additional processes for vetting potential bad actors.
is a flowchart of an example method for vetting potential bad actors in a system for mitigating distributed denial of service (DDoS) attacks. Any of the example systems and apparatuses described herein can be used to perform all or part of the example method. For example, the example system, depicted in, can be used to perform all or part of the example method.
At, an identifier that is generated using a request to establish a network connection and an associated timestamp is stored in a list of potential bad actors. For example, referring to, after determining the connection request is from a potential bad actor, the network traffic management module can generate the identifier and store the identifier in the list of potential bad actors along with an associated timestamp. The timestamp can comprise a representation of a time when the identifier is added to the list. For example, the timestamp can comprise a numerical value that represents a number of seconds that have elapsed since an epoch (such as the Unix Epoch).
At, a challenge is transmitted in response to the request to establish the network connection. For example, referring to, a challenge can be transmitted in a response to the client computing device. The challenge can take the form of a question or task that a human using a web browser or legitimate application can answer/complete within a specified time limit, but that a malicious application (such as a denial of service bot) cannot answer/complete, or cannot answer/complete within the specified time limit.
At, a second request is received from the source of the first request. For example, referring to, a challenge response is received in a request from the client computing device.
At, it is determined whether an amount of time that has elapsed since the associated timestamp is greater than a specified time limit. For example, referring to, the network traffic management module can generate the identifier based on the request containing the challenge response, and can locate the entry for the identifier in the list of potential bad actors. The network traffic management module can then determine whether an amount of time that has elapsed since the time represented by the timestamp is greater than a specified time limit.
If the amount of time that has elapsed is greater than the specified time limit then, at, the second request is rejected. For example, referring to, if the time that has elapsed between adding the entry for the identifier to the list and receiving the challenge response is greater than the specified time limit, then the network traffic management module can reject the request containing the challenge response. All subsequent requests from the client computing device can also be rejected. Since the network traffic management module executes before connection resources are allocated, all subsequent requests from the client computing device can be rejected without any additional connection resources being allocated.
If the amount of time that has elapsed since the associated timestamp is not greater than the specified time limit then, at, it is determined whether the second request contains a correct answer to the challenge. For example, referring to, the network traffic management module can determine whether the challenge response contains a correct answer to the challenge.
If the second request contains the correct answer to the challenge then, at, the identifier is removed from the list of potential bad actors. For example, referring to, the network traffic management module can remove the entry for the identifier from the list of potential bad actors.
If the second request does not contain the correct answer to the challenge then, at, the second request is rejected. For example, referring to, if the challenge response does not contain a correct answer to the challenge, the network traffic management module can reject the request that contains the challenge response and leave the entry for the identifier in the list of potential bad actors. If a correct answer to the challenge is not received within the specified time limit then all subsequent requests from the client computing device can be rejected by the network traffic management module before connection resources are allocated.
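The following user-space C model is an added example, not code from the patent document. It ties together the shared list of potential bad actor identifiers, the source-address-plus-fingerprint identifier that separates clients behind one NAT gateway, and the timestamp-based challenge window. Assumptions: the 30-second window, the fixed-size array, the function names, the FNV-1a hash standing in for the SHA-256 hash the text mentions, the choice not to reset the timestamp when a sender is flagged again, and the choice to pass traffic when the list is full.

```c
/* Added example: user-space model of the two-stage check described above. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LIST_CAP      1024
#define GRACE_SECONDS 30   /* assumed length of the challenge window */

/* Identifier = source network address + additional identifier from request contents. */
struct actor_id { uint32_t src_addr; uint64_t fingerprint; };
struct entry    { struct actor_id id; uint64_t flagged_at; bool used; };
static struct entry bad_actors[LIST_CAP];   /* list shared by both stages */
enum verdict { VERDICT_PASS, VERDICT_DROP };

/* FNV-1a over handshake fields: a stand-in for the SHA-256 hash in the text. */
uint64_t fingerprint(const char *handshake)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (const unsigned char *p = (const unsigned char *)handshake; *p; p++) {
        h ^= *p;
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Both stages must build the identifier the same way or lookups never match. */
struct actor_id make_id(uint32_t src_addr, const char *handshake)
{
    struct actor_id id = { src_addr, fingerprint(handshake) };
    return id;
}

static struct entry *find(struct actor_id id)
{
    for (size_t i = 0; i < LIST_CAP; i++)
        if (bad_actors[i].used && bad_actors[i].id.src_addr == id.src_addr &&
            bad_actors[i].id.fingerprint == id.fingerprint)
            return &bad_actors[i];
    return NULL;
}

void reset_list(void) { memset(bad_actors, 0, sizeof bad_actors); }

/* Second stage (after allocation): record a suspected sender and the time.
 * An existing entry keeps its first timestamp, so repeated flagging cannot
 * keep the challenge window open (assumption of this sketch). */
bool flag_actor(struct actor_id id, uint64_t now)
{
    if (find(id))
        return true;
    for (size_t i = 0; i < LIST_CAP; i++) {
        if (!bad_actors[i].used) {
            bad_actors[i].id = id;
            bad_actors[i].flagged_at = now;
            bad_actors[i].used = true;
            return true;
        }
    }
    return false;   /* list full: this sketch fails open */
}

/* First stage (before allocation): drop a listed sender only once the
 * challenge window has elapsed; until then the request still passes. */
enum verdict pre_alloc_check(struct actor_id id, uint64_t now)
{
    const struct entry *e = find(id);
    if (!e)
        return VERDICT_PASS;
    return now > e->flagged_at + GRACE_SECONDS ? VERDICT_DROP : VERDICT_PASS;
}

/* Second stage: a correct challenge answer removes the entry and timestamp. */
bool handle_challenge_response(struct actor_id id, bool correct)
{
    struct entry *e = find(id);
    if (!e || !correct)
        return false;
    e->used = false;
    return true;
}

int main(void)
{
    /* Constructed sample data: two clients behind one NAT address 203.0.113.7. */
    uint32_t nat = 0xCB007107u;
    struct actor_id bot  = make_id(nat, "tls13|1301-1302|x25519");
    struct actor_id user = make_id(nat, "tls13|1301-1303|x25519-p256");

    flag_actor(bot, 1000);
    printf("bot inside window:  %d\n", pre_alloc_check(bot, 1010));   /* pass */
    printf("bot after window:   %d\n", pre_alloc_check(bot, 1031));   /* drop */
    printf("user, same address: %d\n", pre_alloc_check(user, 1031));  /* pass */
    handle_challenge_response(bot, true);
    printf("bot after answer:   %d\n", pre_alloc_check(bot, 2000));   /* pass */
    return 0;
}
```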
illustrates an example client-server architecture (also referred to as a network traffic management system) that incorporates a network traffic management apparatus. The client-server architecture includes a network traffic management apparatus that is coupled to one or more server computers (such as server computers A-N) and one or more client devices (such as client computing devices A-N) via one or more communication networks (such as the communication networks A and B). The server computers A-N can communicate with one or more additional server computer(s) that are accessible via the communication networks A. As one example, the communication network A can include a public network (e.g., the Internet) and devices attached to the network A can be accessed using public network addresses; the communication network B can include a private network and devices attached to the network B can be accessed using private network addresses.
The communication networks A-B can include various wired and/or wireless communication technologies, such as a local area network (LAN), a wide area network (WAN), an intranet, the Internet, a public switched telephone network (PSTN), and so forth. The devices connected to the communication networks A-B can communicate with each other using various communications protocols, such as transmission control protocol with Internet protocol (TCP/IP) over Ethernet and/or other customized or industry-standard protocols. The communication protocols can be used to transmit information over the networks A-B using packet-based messages (e.g., Ethernet-based packet data networks) and/or other application programming interfaces (APIs). An API is a programmatic interface (e.g., a set of methods and/or protocols) for communicating among different modules. The communication networks A-B can include various network devices, such as switches (multilayer or single-layer), routers, repeaters, gateways, network bridges, hubs, protocol converters, bridge routers, proxy servers, firewalls, network address translators, multiplexers, network interface controllers, wireless network interface controllers, modems, line drivers, and wireless access points, for example. As illustrated, the network traffic management apparatus is positioned in-line between the client computing devices A-N and the server computers A-N so that the network traffic management apparatus can intercept all network traffic flowing between the different networks A and B. In other examples, the network traffic management apparatus, the server computer A-N, and the client devices A-N can be coupled together via other topologies. As one specific example, the server computers A-N can be integrated within the network traffic management system (e.g., server computer functions can be implemented in software within one or more devices of the network traffic management apparatus).
It should be appreciated by one of ordinary skill in the art having the benefit of the present disclosure, that the network topology illustrated in has been simplified and that multiple networks and networking devices can be utilized to interconnect the various computing systems disclosed herein. Additionally, one or more of the devices of the client-server architecture in these examples can be in a same or a different communication network including one or more public, private, or cloud networks, for example.
Generally, the server computers A-N, the client devices A-N, and the network traffic management system can perform various computing tasks that are implemented using a computing environment, such as the computing environment described in more detail with respect to. The computing environment can include computer hardware, computer software, and combinations thereof. As a specific example, the computing environment can include general-purpose and/or special-purpose processor(s), configurable and/or hard-wired electronic circuitry, a communications interface, and computer-readable memory for storing computer-executable instructions to enable the processor(s) to perform a given computing task. The logic to perform a given task can be specified within a single module or interspersed among multiple modules. As used herein, the terms “module” and “component” can refer to an implementation within one or more dedicated hardware devices or apparatus (e.g., computer(s)), and/or an implementation within software hosted by one or more hardware devices or apparatus that may be hosting one or more other software applications or implementations.
The client devices A-N can include any type of computing device that can exchange network data, such as mobile communication devices, laptop computers, desktop computers, tablet computers, virtual machines executing within a cloud-computer-based environment, and so forth. The client devices A-N can run interface applications, such as web browsers or standalone client applications, which may provide an interface to communicate with (e.g., make requests for, and receive content stored on) one or more of the server computers A-N via the communication network(s) A and B. The client devices A-N can further include an output device (such as a display screen or touchscreen (not illustrated)) and/or an input device (such as a keyboard (not illustrated)). Additionally, one or more of the client devices A-N can be configured to execute software code (e.g., JavaScript code within a web browser) in order to log client-side data and provide the logged data to the network traffic management apparatus or the server computers A-N.
The server computers A-N can include any type of computing device that can exchange network data. For example, the server computers A-N can exchange network data with the client devices A-N and with each other. As another example, the server computers A-N can exchange communications along communication paths specified by application logic in order to facilitate a client-server application interacting with the client devices A-N. Examples of the server computers A-N can include application servers, database servers, access control servers, and encryption servers. Accordingly, in some examples, one or more of the server computers A-N process login and other requests received from the client devices A-N via the communication network(s) A and B according to the Hypertext Transfer Protocol (HTTP) or Hypertext Transfer Protocol Secure (HTTPS) application-layer protocol. A web application may be operating on one or more of the server computers A-N and transmitting data (e.g., files or web pages) to the client devices A-N (e.g., via the network traffic management apparatus) in response to requests from the client devices A-N. The server computers A-N can be hardware and/or software and may represent a system with multiple servers in a pool, which may include internal or external networks.
While the server computers A-N are illustrated as single devices, one or more actions of each of the server computers A-N may be distributed across one or more distinct network computing devices that together comprise one or more of the server computers A-N. Moreover, the server computers A-N are not limited to a particular configuration. Thus, the server computers A-N may contain network computing devices that operate using a coordinated approach, whereby one of the network computing devices of the server computers A-N operates to manage or otherwise coordinate operations of the other network computing devices. Each of the server computers A-N can operate as a networked computing device within a cluster architecture, a computing device within a peer-to-peer architecture, a virtual machine, or a resource within a cloud-based computer architecture, for example. Thus, the technology disclosed herein is not to be construed as being limited to a single environment and other configurations and architectures are also envisaged. For example, one or more of the server computers A-N can operate within the network traffic management apparatus itself rather than as a stand-alone server device communicating with the network traffic management apparatus via communication network B. In this example, the one or more of the server computers A-N operate within the memory of the network traffic management apparatus.
May 12, 2026